2 factor auth using openid proposal

Till Maas opensource at till.name
Thu Jan 24 18:53:45 UTC 2013

On Thu, Jan 24, 2013 at 09:05:39AM -0800, Toshio Kuratomi wrote:

> * I know that implementing 2fa to log into fas will cause a lot of breakage
>   that we'll have to fix before we deploy:
>   - session cookie for fas would have to change so you don't have SSO
>     between FAS and other apps.

Wouldn't it be enough to add a field to the session data that stores
whether 2FA has been used or not? Then SSO is still possible from FAS to
other apps, but if a valid session is provided, FAS might only ask for
a valid token value.

>   - python-fedora api would need to be modified so it can log into fas.
>   - web apps would need to be modified so they could log into fas
>     with/without 2fa

You could allow to just concatenate the password and hardware token
values and submit this as the new password. I believe this is often
implemented with RSA tokens, where a PIN and the current token value
need to be provided as password.


More information about the infrastructure mailing list